Title: Finding command and control center computers by communication link tracking
Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for identifying malware attacks by collecting data traffic information. A system receives data traffic information indicative of communications between computers within a network and computers external to the network. The system parses the data traffic information to identify communication links between the computers within the network and computers external to the network. The system can generate communication link profiles for each of the computers within the network. The system can then group computers within the network into computer clusters based on similarities between the communication link profiles of each computer. The system can identify computer clusters having anomalous communication patterns as being indicative of a malware attack.
Publication number: US9344442(B1)    Publication date: 2016.05.17
Application number: US201514704709    Filing date: 2015.05.05
Applicant: Pivotal Software, Inc.    Inventors: Yu Jin; Lin Derek
Classification: G06F21/00; H04L29/06; H04L29/08    Main classification: G06F21/00
Agent firm: Fish & Richardson P.C.    Agent: Fish & Richardson P.C.
Main claim: 1. A computer-implemented method, comprising:
    determining a communication link profile for each of a plurality of internal computers located within a network, the communication link profile for each internal computer comprising a representation of a set of computers that have communicated with the internal computer;
    grouping the internal computers into computer clusters based on similarities in communication link profiles for each internal computer, wherein computers having communication link profiles that reach a threshold level of similarity are grouped into a same cluster;
    determining that communication link profiles associated with internal computers in a first computer cluster deviate from communication link profiles associated with internal computers that are not included in the first computer cluster by more than a specified threshold deviation value; and
    identifying the first computer cluster as including internal computers having communication link profiles indicative of a malware attack based on the determination that communication link profiles associated with internal computers in the first computer cluster deviate from communication link profiles associated with internal computers that are not included in the first computer cluster by more than the specified threshold deviation value.
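The claim fixes the pipeline (profile per internal computer, similarity-threshold clustering, deviation test against the computers outside the cluster) but not the similarity measure, the clustering rule or the deviation measure. The Python below is an added illustration of that pipeline, not code from the patent or from Pivotal: it parses constructed outbound flow records into per-host profiles (the set of external hosts each internal computer talked to), clusters hosts by single-linkage on Jaccard similarity, and scores each cluster by how far its members sit from their nearest outsider. All addresses and hostnames are constructed placeholders (the ".invalid" names stand in for the suspect external hosts); Jaccard, single linkage and the nearest-outsider deviation are this example's assumptions, not the patent's.

```python
"""Communication-link-profile clustering in the spirit of the claim.

Added example, not the patent's implementation. All hostnames, addresses
and thresholds are constructed placeholders / assumptions.
"""
import ipaddress
from itertools import combinations
from typing import Dict, FrozenSet, List, Tuple

# Constructed sample of outbound flow records: "<internal_src_ip> <external_dst_host>".
# 10.0.0.1-2 share a department service (crm-a), 10.0.0.3-4 share another (build-b);
# 10.0.0.5-6 both talk to three hosts nobody else in the network contacts.
SAMPLE_FLOWS = """
10.0.0.1 cdn.example.net
10.0.0.1 cdn.example.net
10.0.0.1 mail.example.net
10.0.0.1 update.example.net
10.0.0.1 crm-a.example.net
10.0.0.2 cdn.example.net
10.0.0.2 mail.example.net
10.0.0.2 update.example.net
10.0.0.2 crm-a.example.net
10.0.0.2 search.example.net
10.0.0.3 cdn.example.net
10.0.0.3 mail.example.net
10.0.0.3 update.example.net
10.0.0.3 build-b.example.net
10.0.0.4 cdn.example.net
10.0.0.4 mail.example.net
10.0.0.4 update.example.net
10.0.0.4 build-b.example.net
10.0.0.4 search.example.net
10.0.0.5 c2-placeholder-1.invalid
10.0.0.5 c2-placeholder-2.invalid
10.0.0.5 c2-placeholder-3.invalid
10.0.0.5 cdn.example.net
10.0.0.6 c2-placeholder-1.invalid
10.0.0.6 c2-placeholder-2.invalid
10.0.0.6 c2-placeholder-3.invalid
10.0.0.6 cdn.example.net
10.0.0.6 mail.example.net
198.51.100.9 cdn.example.net
"""

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

Profiles = Dict[str, FrozenSet[str]]


def parse_flows(text: str, internal_nets) -> Profiles:
    """Build a link profile (set of external peers) per internal source address."""
    profiles: Dict[str, set] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst = line.split()
        addr = ipaddress.ip_address(src)
        if not any(addr in net for net in internal_nets):
            continue  # only internal computers get a profile
        profiles.setdefault(src, set()).add(dst)
    return {host: frozenset(peers) for host, peers in profiles.items()}


def jaccard(a: FrozenSet[str], b: FrozenSet[str]) -> float:
    """Similarity of two profiles: |A & B| / |A | B| (1.0 for two empty sets)."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def cluster_profiles(profiles: Profiles, min_similarity: float) -> List[FrozenSet[str]]:
    """Single-linkage clustering: hosts whose similarity reaches the threshold share a cluster."""
    parent = {h: h for h in profiles}

    def find(x: str) -> str:
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for a, b in combinations(profiles, 2):
        if jaccard(profiles[a], profiles[b]) >= min_similarity:
            parent[find(a)] = find(b)
    groups: Dict[str, set] = {}
    for h in profiles:
        groups.setdefault(find(h), set()).add(h)
    return [frozenset(g) for g in groups.values()]


def cluster_deviation(cluster: FrozenSet[str], profiles: Profiles) -> float:
    """1 minus the mean, over members, of similarity to the member's closest outsider.

    Normal hosts usually have a near neighbour outside their own cluster (shared
    infrastructure); a cluster built around peers nobody else contacts does not.
    """
    outsiders = [h for h in profiles if h not in cluster]
    if not outsiders:
        return 0.0
    nearest = [max(jaccard(profiles[m], profiles[o]) for o in outsiders) for m in cluster]
    return 1.0 - sum(nearest) / len(nearest)


def find_anomalous_clusters(profiles: Profiles, min_similarity: float = 0.7,
                            max_deviation: float = 0.5) -> List[Tuple[FrozenSet[str], float]]:
    """Clusters whose deviation from the rest of the network exceeds the threshold."""
    flagged = []
    for cluster in cluster_profiles(profiles, min_similarity):
        deviation = cluster_deviation(cluster, profiles)
        if deviation > max_deviation:
            flagged.append((cluster, deviation))
    return flagged


if __name__ == "__main__":
    prof = parse_flows(SAMPLE_FLOWS, INTERNAL_NETS)
    for cluster, dev in find_anomalous_clusters(prof):
        print(f"deviation={dev:.3f} hosts={sorted(cluster)} peers={sorted(set().union(*(prof[h] for h in cluster)))}")
```

On the sample data the two department clusters score a deviation of about 0.37 because each member still has a close neighbour in the other department, while the pair sharing the three ".invalid" peers scores about 0.79 and is the only cluster flagged. Both thresholds need tuning against real traffic: a department-specific internal service produces a cluster that is also "unusual" relative to the rest of the network, so an analyst should review what distinguishes a flagged cluster (the peers its members share that nobody else contacts) rather than treat the flag as a verdict.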
Address: Palo Alto CA US